Configure SAML single sign-on

SAML is a standard protocol for authenticating users during inbound single sign-on (SSO). These instructions detail how to configure Medallia Experience Cloud as a service provider (SP) using SAML to authenticate users via the company's single sign-on identity provider (IdP).

The general steps to implement SAML SSO are:

  1. Collect the requisite information — Necessary to complete the implementation, as described in Before you begin.

  2. Configure the service provider (SP) settings in the instance — These include the URL users use to connect to the Experience Cloud instance and the public-key portion of the trusted certificate.

  3. Provide the above information to the identity provider (IdP) — So the IdP recognizes communications from the instance and knows how to communicate with it.

  4. IdP provides metadata — Describes how the instance communicates with the IdP and interprets the authorization information the IdP provides.

  5. Configure the IdP settings in the instance.

  6. Configure the verification mechanism — Based on the information the IdP provides in each authorization. For more information, see Process the assertion to identify the account.

  7. Test the process.

Before you begin

Before setting up SAML inbound single sign-on, collect this information:

Requisite: IdP support for SAML relayState query parameter
Description: Verifies the IdP can handle the SAML relayState query parameter when processing the authentication request. On Medallia Mobile, if this is not set up properly, the app shows the Medallia Web reporting default page after completing the sign-in.
Note: For more information, see Redirect to IdP SSO Service.

Requisite: SP issuer
Description: The URL users use to connect to the Medallia Web reporting instance.

Requisite: Error Redirect URL
Description: Optional. The URL, if any, to send the user to after an authentication error.

Requisite: Logout Redirect URL
Description: The URL to send the user to after signing out.

Requisite: Assertion Attribute Name
Description: The name of the assertion attribute in the SAML response that identifies the user's account. This is used to create an account and to sign the user into the application.
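The relayState requirement above is easiest to check with a concrete exchange. The following Python is an added example, not code from the original page or from Medallia: it builds the SP-initiated redirect to the IdP using the SAML 2.0 HTTP-Redirect binding, carries the page the user originally asked for in RelayState, and then shows what the assertion consumer endpoint does with the RelayState the IdP echoes back. The endpoint URLs, the default page path and the form field names are assumptions for illustration; the AuthnRequest is unsigned, and a production SP would also add the Signature and SigAlg parameters.

```python
import base64
import datetime
import urllib.parse
import uuid
import zlib

# Hypothetical endpoints: placeholders for this example, not Medallia's real URLs.
IDP_SSO_URL = "https://idp.example.com/saml2/sso"
SP_ISSUER = "https://reporting.example.com"            # "SP issuer": the instance URL
SP_ACS_URL = "https://reporting.example.com/saml/acs"  # hypothetical assertion consumer path
DEFAULT_PAGE = "/reporting/home"                        # shown when no usable RelayState comes back


def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest XML (unsigned; signing is omitted in this example)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ISSUER}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect_payload(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64; urlencode() handles the URL escaping."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15 = raw deflate, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_payload(b64):
    """Inverse of encode_redirect_payload, used to confirm the round trip."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def build_redirect_url(target_path, request_id=None, issue_instant=None):
    """URL the SP sends the browser to; RelayState carries the page the user originally requested."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ"
    )
    params = {
        "SAMLRequest": encode_redirect_payload(build_authn_request(request_id, issue_instant)),
        "RelayState": target_path,   # the SAML spec caps RelayState at 80 bytes
    }
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def parse_redirect_url(url):
    """Split a redirect URL back into (RelayState, AuthnRequest XML), as the IdP would see it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return query["RelayState"][0], decode_redirect_payload(query["SAMLRequest"][0])


def resolve_post_login_target(posted_form):
    """Decide where to send the user after the IdP POSTs the response to the ACS.

    An IdP that drops RelayState makes this fall through to DEFAULT_PAGE, which is the
    symptom described for Medallia Mobile. Only a same-site relative path is honoured,
    so a tampered RelayState cannot turn the ACS into an open redirect.
    """
    relay = posted_form.get("RelayState", "")
    if relay.startswith("/") and not relay.startswith("//") and "\\" not in relay:
        return relay
    return DEFAULT_PAGE


if __name__ == "__main__":
    url = build_redirect_url("/reporting/survey/42")
    print(url)
    print(parse_redirect_url(url))
    print(resolve_post_login_target({"RelayState": "/reporting/survey/42"}))
    print(resolve_post_login_target({}))   # IdP dropped RelayState: default page
```

When testing an IdP, compare the RelayState value in the form the IdP posts back with the one sent in the redirect; an IdP that omits or rewrites it will always land the user on the default page.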

Process the assertion to identify the account

When the IdP sends an authorization, the Experience Cloud instance interprets the assertion to verify the account, and to optionally create or update an account if needed. There are two ways to process accounts based on the value in the assertion:

Verify existing accounts based on the Username or Company ID — This method only works when the value of the <AttributeName> attribute matches (case-insensitively) the value of an existing Username or Company ID.

Verify, update, and/or create accounts using an Auto Importer specification — This option is more flexible and can be used to process the ID value before performing the authorization activity. For example, because the Username value must be lowercase, an Auto Importer specification can lowercase the assertion value before the verification is performed.
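Both options come down to reading one named attribute out of the assertion and deciding what to do with its value. The Python below is an added example, not code from the original page or from Medallia: it extracts the configured Assertion Attribute Name from a constructed, unsigned SAML response, performs the case-insensitive match against existing Username and Company ID values (option 1), and, when nothing matches, falls back to a lowercase-normalizing step that stands in for an Auto Importer specification creating the account (option 2). The sample response, the account directory and the attribute names are constructed for illustration; a real SP verifies the signature and the assertion's conditions before any attribute is trusted.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def make_response(attributes):
    """Build a constructed, unsigned SAML Response carrying the given attributes.

    Sample input only: signature, Audience, Recipient, InResponseTo and NotOnOrAfter
    are all verified before this step in a real deployment.
    """
    attrs = "".join(
        f'<saml:Attribute Name="{escape(name)}">'
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue>"
        "</saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_resp1" Version="2.0">'
        '<saml:Assertion ID="_assert1" Version="2.0">'
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed sample messages: one for a known user, one for a user the instance has never seen.
SAMPLE_RESPONSE = make_response({"email": "JSmith@Example.com", "employeeId": "E-1042"})
NEW_USER_RESPONSE = make_response({"email": "New.Hire@Example.com", "employeeId": "E-3105"})

# Constructed account directory; usernames and company IDs are stored lowercase.
EXISTING_ACCOUNTS = [
    {"username": "jsmith@example.com", "company_id": "e-1042"},
    {"username": "adoe@example.com", "company_id": "e-2077"},
]


def extract_attribute(response_xml, attribute_name):
    """Return the first AttributeValue whose Attribute Name equals the configured name, else None."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


def find_existing_account(value, accounts=EXISTING_ACCOUNTS):
    """Option 1: match the value against an existing Username or Company ID, case-insensitively."""
    needle = value.casefold()
    for account in accounts:
        if needle in (account["username"].casefold(), account["company_id"].casefold()):
            return account
    return None


def auto_importer_normalize(value):
    """Option 2, stand-in for an Auto Importer specification: derive the lowercase Username."""
    return value.strip().lower()


def resolve_account(response_xml, attribute_name, accounts=EXISTING_ACCOUNTS, create_missing=False):
    """Identify, and optionally create, the account for one SAML response.

    Returns the matching account dict, or None when the attribute is missing or nothing
    matches and creation is disabled.
    """
    value = extract_attribute(response_xml, attribute_name)
    if value is None:
        return None                      # attribute absent: nobody can be signed in
    account = find_existing_account(value, accounts)
    if account is not None or not create_missing:
        return account
    account = {"username": auto_importer_normalize(value), "company_id": ""}
    accounts.append(account)             # the importer creates the account with a lowercase Username
    return account


if __name__ == "__main__":
    print(resolve_account(SAMPLE_RESPONSE, "email"))
    print(resolve_account(SAMPLE_RESPONSE, "employeeId"))
    print(resolve_account(NEW_USER_RESPONSE, "email"))                        # None: no match, no creation
    print(resolve_account(NEW_USER_RESPONSE, "email", list(EXISTING_ACCOUNTS), create_missing=True))
```

The attribute name passed to resolve_account is the Assertion Attribute Name collected in Before you begin; if the IdP emits the identifier under a different name, extraction returns None and no account is matched or created.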